Raphaël Pinson for Camptocamp Infrastructure Solutions

Posted on • Edited on • Originally published at camptocamp.com

Deploying public keys in Docker containers

One of the hard problems to solve when using Docker in production is deploying secrets. In particular, public keys are hard to deploy because they are multiline and there is usually one key per authorized user.

Since all our users have GitHub accounts with their SSH keys attached, it made sense to us to use GitHub as a centralized PKI for SSH keys. Starting with a simple Ruby script connecting to the GitHub API, we soon realized we would need a generic way of deploying public keys from GitHub if we kept to this approach.

This gave birth to github_pki, a generic command-line tool that uses the GitHub API to deploy SSH and X509 keys from GitHub organizations, teams, and individual users.

It can be installed from source:

FROM debian:jessie

ENV GOPATH=/go
# Build github_pki with a throwaway Go toolchain, then remove the toolchain
# again so that only /go/bin/github_pki is left in the image
RUN apt-get update && apt-get install -y golang-go git \
  && go get github.com/camptocamp/github_pki \
  && apt-get autoremove -y golang-go git \
  && rm -rf /var/lib/apt/lists/*

Or by inheriting from one of the official Docker images.

The github_pki command can then simply be called from within an entrypoint script to deploy keys:

#!/bin/sh

# Deploy users' keys as X509 public keys to SSL_DIR
SSL_DIR=/etc/puppetlabs/mcollective/clients /go/bin/github_pki

# Deploy user keys as an authorized_keys file
AUTHORIZED_KEYS=/root/.ssh/authorized_keys /go/bin/github_pki

Environment variables control which keys are deployed and where they are written:

$ docker run -e AUTHORIZED_KEYS=/root/.ssh/authorized_keys \
             -e SSL_DIR=/etc/test/ssl \
             -e GITHUB_ORG="myorg" \
             -e GITHUB_TEAM="mypals" \
             -e GITHUB_USERS="otheruser" \
             -e GITHUB_TOKEN=398d6d326a546d40f3f1ef93345d1fc5ee0f0j38 \
             mydockerimage
run-parts: executing /docker-entrypoint.d/25-populate-ssl-clients.sh
time="2016-03-22T09:45:52Z" level=info msg="Adding users for team mypals" 
time="2016-03-22T09:45:52Z" level=info msg="Adding user bob" 
time="2016-03-22T09:45:52Z" level=info msg="Adding user alice" 
time="2016-03-22T09:45:52Z" level=info msg="Adding individual user otheruser" 
time="2016-03-22T09:45:53Z" level=info msg="Getting keys for user bob" 
time="2016-03-22T09:45:53Z" level=info msg="Getting keys for user alice" 
time="2016-03-22T09:45:53Z" level=info msg="Getting keys for user otheruser"
time="2016-03-22T09:45:59Z" level=info msg="Generating /root/.ssh/authorized_keys" 
time="2016-03-22T09:45:59Z" level=info msg="Dumping X509 keys to /etc/puppetlabs/mcollective/clients" 
time="2016-03-22T09:45:59Z" level=info msg="Converting key bob/1325852 to X509" 
time="2016-03-22T09:45:59Z" level=info msg="Converting key alice/123756 to X509" 
time="2016-03-22T09:45:59Z" level=info msg="Converting key alice/7845928 to X509" 
time="2016-03-22T09:45:59Z" level=info msg="Converting key otheruser/8540586 to X509"
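The two outputs the log above shows (one authorized_keys file, plus one X509 public key per user key) can be reproduced offline with the following Python script. This is an added example, not github_pki's own code: the GitHub API response is replaced by constructed sample keys whose RSA moduli are arbitrary numbers rather than real keys, the `<user>-<keyid>.pem` file naming and the `user@github` comment are assumptions, and "X509" is taken to mean a PKIX SubjectPublicKeyInfo in PEM form. The conversion is done with a small hand-written DER encoder so that the script needs only the standard library; it also shows the edge case the log does not: a non-RSA key (ed25519) is kept in authorized_keys but cannot be converted and is reported as skipped.

```python
"""Added example (not github_pki's code): render GitHub users' SSH public keys as
an authorized_keys file and as PEM SubjectPublicKeyInfo blocks for RSA keys.
Pure standard library, fully offline: GitHub data is constructed below."""
import base64
import os
import struct
from pathlib import Path

# ---- ssh-rsa wire format (RFC 4253 section 6.6) -------------------------------

def _sshstr(b: bytes) -> bytes:
    """SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def _mpint(i: int) -> bytes:
    """SSH mpint: length-prefixed big-endian two's complement; a 0x00 pad keeps it positive."""
    raw = i.to_bytes((i.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _sshstr(raw)

def encode_ssh_rsa(e: int, n: int, comment: str = "") -> str:
    """Build an 'ssh-rsa AAAA... comment' line from public exponent e and modulus n."""
    blob = _sshstr(b"ssh-rsa") + _mpint(e) + _mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode()
    return f"{line} {comment}" if comment else line

def parse_ssh_rsa(line: str) -> tuple[int, int]:
    """Return (e, n) from an ssh-rsa line; ValueError for other key types or malformed blobs."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    blob, pos, fields = base64.b64decode(parts[1]), 0, []
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[pos:pos + length])
        pos += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")

# ---- minimal DER for a PKIX SubjectPublicKeyInfo carrying rsaEncryption -------

def _der(tag: int, content: bytes) -> bytes:
    """TLV with DER definite-length encoding (short form below 128, long form above)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def _der_int(i: int) -> bytes:
    """DER INTEGER of a non-negative value (leading 0x00 when the high bit is set)."""
    raw = i.to_bytes(max(1, (i.bit_length() + 7) // 8), "big")
    return _der(0x02, (b"\x00" + raw) if raw[0] & 0x80 else raw)

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1

def ssh_rsa_to_pem(line: str) -> str:
    """Convert an ssh-rsa line into a '-----BEGIN PUBLIC KEY-----' PEM block."""
    e, n = parse_ssh_rsa(line)
    rsa_public_key = _der(0x30, _der_int(n) + _der_int(e))        # RSAPublicKey {n, e}
    algorithm = _der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")       # AlgorithmIdentifier + NULL
    spki = _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))  # BIT STRING, 0 unused bits
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

# ---- the two deployment outputs ------------------------------------------------

def render_authorized_keys(user_keys: dict[str, list[tuple[int, str]]]) -> str:
    """One line per key of every type, tagged with the GitHub user it was fetched from."""
    lines = [f"{key} {user}@github" for user in sorted(user_keys) for _, key in user_keys[user]]
    return "\n".join(lines) + "\n"

def render_x509_keys(user_keys: dict[str, list[tuple[int, str]]]) -> tuple[dict[str, str], list[str]]:
    """Map '<user>-<keyid>.pem' (assumed naming) to PEM for RSA keys; list non-RSA keys as skipped."""
    pems, skipped = {}, []
    for user, keys in user_keys.items():
        for key_id, key in keys:
            try:
                pems[f"{user}-{key_id}.pem"] = ssh_rsa_to_pem(key)
            except ValueError:
                skipped.append(f"{user}/{key_id}")
    return pems, skipped

# Constructed stand-in for the GitHub API response. The moduli are arbitrary
# 2048-bit odd numbers, NOT real RSA keys; alice's second key is an ed25519 key.
SAMPLE_KEYS = {
    "bob":   [(1001, encode_ssh_rsa(65537, (1 << 2047) | 0x1235, "bob@laptop"))],
    "alice": [(2001, encode_ssh_rsa(65537, (1 << 2047) | 0xABCD)),
              (2002, "ssh-ed25519 " + base64.b64encode(_sshstr(b"ssh-ed25519") + _sshstr(bytes(32))).decode())],
}

if __name__ == "__main__":
    # Same knobs as the entrypoint above: AUTHORIZED_KEYS and SSL_DIR select the outputs.
    if target := os.environ.get("AUTHORIZED_KEYS"):
        Path(target).parent.mkdir(parents=True, exist_ok=True)
        Path(target).write_text(render_authorized_keys(SAMPLE_KEYS))
        os.chmod(target, 0o600)
    if ssl_dir := os.environ.get("SSL_DIR"):
        Path(ssl_dir).mkdir(parents=True, exist_ok=True)
        pems, skipped = render_x509_keys(SAMPLE_KEYS)
        for name, pem in pems.items():
            (Path(ssl_dir) / name).write_text(pem)
        for ref in skipped:
            print(f"skipping non-RSA key {ref}")
```

Run it with the same AUTHORIZED_KEYS and SSL_DIR variables as the entrypoint above and it writes the same two kinds of files. Two points worth keeping in view with this approach: the trust anchor is the GitHub account, so anyone who can add a key to a listed user, or add a member to GITHUB_TEAM, gains access to every container provisioned this way, which makes GitHub-side audit logs and two-factor enforcement part of the SSH security boundary; and a GITHUB_TOKEN passed with `docker run -e` is visible to anyone who can run `docker inspect` on the container, so give it the minimum scope (`read:org`) and rotate it as you would any other credential.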

This blog post was originally published on camptocamp.com
